
Cyrus-sasl2 port question.



Folks,

I am really sorry to disturb you with a stupid question, but I just do
not know where to ask (went through the mailing list archives, tried
Google, asked people on the cyrus-sasl mailing list; everything failed). I am
using 3.3-stable and I am having difficulties with the cyrus-sasl2 port.
I used to have cyrus-sasl 1.5 before and my SMTP auth worked through it
just fine.

Now, in order to install Cyrus-IMAP, I needed to upgrade to sasl2. Here
is the problem. I am using OpenBSD 3.3 and Sendmail 8.12.9. My goal is
to have a list of users in SASLDB and use sasl2 to authenticate both
SMTP and IMAP users from a single source. I installed cyrus-sasl
2.1.11 (ports 3.3-stable), recompiled Sendmail with all the proper
options (-DSASL=2 etc.) and everything seems to be working. However,
whenever I am trying to add a new user using saslpasswd2, here is
what I am getting in my /var/log/authlog:

# /usr/local/sbin/saslpasswd2 -d -u domain.org user
# cat /var/log/authlog
Sep  7 12:11:28 station saslpasswd2: no user in db
Sep  7 12:11:28 station saslpasswd2: Couldn't update db
Sep  7 12:11:28 station last message repeated 2 times
Sep  7 12:11:28 station saslpasswd2: OTP: set secret for user

But sasldblistusers2 shows that everything is OK:

# /usr/local/sbin/sasldblistusers2
user@domain.org: cmusaslsecretOTP
user@domain.org: userPassword

More than that, whenever I am trying to perform Sendmail authorization, it
works just fine, except that I get a message in my authlog (and on the
local console):

sm-mta[6083]: no user in db

but the authorization works just fine. SASL authorizes whatever is
there in /etc/sasldb2.db and returns "relaying denied" to anything
else. Here is a piece of /var/log/maillog:

Sep  7 12:15:43 station sm-mta[6083]: STARTTLS=server, relay=pc.domain [192.168.1.3], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC3-SHA, bits=168/168

Sep  7 12:15:43 station sm-mta[6083]: AUTH=server, relay=pc.domain [192.168.1.3], authid=user@domain.org, mech=CRAM-MD5, bits=0

Sep  7 12:15:43 station sm-mta[6083]: h87JFgIu006083: from=<user@domain.org>, size=507, class=0, nrcpts=1, msgid=<18247398125.20030907121541@domain.org>, proto=ESMTP, daemon=MTA, relay=pc.domain [192.168.1.3]

Sep  7 12:15:49 station sm-mta[23047]: h87JFgIu006083: to=<some-user@some-mail.org>, ctladdr=<user@domain.org> (1000/0), delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=30403, relay=mail.some-mail.org. [63.107.13.118], dsn=2.0.0, stat=Sent (h87JFmGK024556 Message accepted for delivery)

Another thing that I've noticed is that LOGIN (plain passwords; I had
them turned on only inside a TLS tunnel) authorization does not work
anymore. I do not know whether I've done something wrong, whether I am
using a wrong version of the sasl2 port or I am just plain stupid, but
nothing I've tried to fix it seems to help.

Here is my /usr/local/lib/sasl2/Sendmail.conf:

# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb

Here is a SMTP-AUTH-related part of my sendmail.mc:

dnl only allow PLAIN and LOGIN if security layer is active
dnl (we do not allow users to use plaintext passwords
dnl  outside of TLS session)
define(`confAUTH_OPTIONS', `A p y')dnl

dnl Real mail clients use encrypted passwords in SMTP AUTH
dnl (such as DIGEST and CRAM), but Outlook and Outlook Express
dnl only know LOGIN method. So we allow it, but only in TLS
dnl (see the confAUTH_OPTIONS section)
define(`confAUTH_MECHANISMS', `LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN DIGEST-MD5 CRAM-MD5')dnl

(all the above configuration used to work without the slightest hint of a
problem with cyrus-sasl 1.5, by the way)

I tried to use another, newer version of cyrus-sasl (got it from their
site),  but it seems like there are some problems with compiling it on
3.3-current.

The -current version of ports can not be compiled on 3.3-RELEASE
(found a note on that in the mailing list archive).

Thank you all very much, I would really appreciate any help
with that (maybe some clues as to what I can do to find it out myself
without taking other people's time?). And let me thank you all for
doing a great job porting applications to such a great thing as
OpenBSD.

-- 
Sincerely yours,
Denis Suhanov                                    mailto:den@suhoff.ru
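As an added example, not part of Denis's post: a Python check that audits maillog lines of the shape quoted above for the policy his confAUTH_OPTIONS `p` flag is meant to enforce (LOGIN/PLAIN accepted only inside a TLS session). The sample lines are constructed, modelled on the excerpt, with a made-up second session that violates the policy; it assumes that STARTTLS=server and AUTH=server for one connection are logged by the same sm-mta process id.

```python
import re

# Constructed sample, modelled on the maillog excerpt in the post.
# pid 6101 is made up: a LOGIN auth with no STARTTLS on that process.
SAMPLE_LOG = """\
Sep  7 12:15:43 station sm-mta[6083]: STARTTLS=server, relay=pc.domain [192.168.1.3], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC3-SHA, bits=168/168
Sep  7 12:15:43 station sm-mta[6083]: AUTH=server, relay=pc.domain [192.168.1.3], authid=user@domain.org, mech=CRAM-MD5, bits=0
Sep  7 12:20:01 station sm-mta[6101]: AUTH=server, relay=laptop.domain [192.168.1.7], authid=user@domain.org, mech=LOGIN, bits=0
Sep  7 12:21:10 station sm-mta[6105]: STARTTLS=server, relay=pc.domain [192.168.1.3], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC3-SHA, bits=168/168
Sep  7 12:21:11 station sm-mta[6105]: AUTH=server, relay=pc.domain [192.168.1.3], authid=user@domain.org, mech=LOGIN, bits=0
"""

# Mechanisms that send the password in the clear (what 'p' is meant to gate).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Only the two sendmail event kinds we need: STARTTLS=server and AUTH=server.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[(?P<pid>\d+)\]: "
    r"(?P<kind>STARTTLS|AUTH)=server, (?P<rest>.*)$"
)


def parse_fields(rest):
    """Split 'key=value, key=value' into a dict; relay values keep their
    embedded space and brackets because we only split on ', '."""
    fields = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def find_plaintext_auth_without_tls(log_text):
    """Return (pid, authid, mech) for every AUTH=server event that used a
    plaintext mechanism with no earlier STARTTLS=server on the same pid."""
    tls_pids = set()        # assumption: one sm-mta pid per connection
    violations = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                  # unrelated log line (queue ids etc.)
        pid, kind = match["pid"], match["kind"]
        if kind == "STARTTLS":
            tls_pids.add(pid)
            continue
        fields = parse_fields(match["rest"])
        if fields.get("mech") in PLAINTEXT_MECHS and pid not in tls_pids:
            violations.append((pid, fields.get("authid"), fields["mech"]))
    return violations


if __name__ == "__main__":
    for pid, authid, mech in find_plaintext_auth_without_tls(SAMPLE_LOG):
        print(f"plaintext {mech} auth outside TLS: pid={pid} authid={authid}")
```

If this check ever reports a hit on a real log, the `p` option is not being honoured for that session and the Sendmail/SASL configuration should be reviewed before trusting LOGIN at all.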
